Hi, we have just set up a brand new Horizon Environment with the latest version. We have an A10 LB that goes to 2 UAGs that point to 2 Connection servers. We are trying to set up Microsoft Azure and have gone through the guides to get it set up. We open the VMware client. Double-click on the server and it goes to a MS login page. We log in and get the 2FA prompt and then it just sits at a URL ending in https://lb-vip-fqdn/portal/samlsso and spins and spins but nothing. Anyone have any suggestion as to what I might have missed or how to fix this issue?
Hi
The link that does not respond for you is the one that is configured in the Enterprise Application on Azure.
Can you confirm that you have imported the XML metadata of the Azure Enterprise Application on the UAG?
(If you have not done so, check this link where I explain the whole procedure:
https://vmvirtual.blog/2021/02/28/azure-mfa-uag-horizon-and-true-sso-step-4/)
Otherwise, there may be something in the configurations of the LB.
Hi, thank you for this. I am pretty sure this is all set up and I have uploaded the metadata file into the UAGs. A couple of questions. In your guide you have this - https://<public-FQDN-UAG>/portal/samlsso for the URL. If our UAGs are load balanced, can I get away with putting the LB VIP so it's just https://lb-vip-fqdn.test.com/portal/samlsso? Or in Azure would I need two entries, one for each UAG we have?
Also what needs to be done or what can I look for on the LB that might show the issue is there? Thanks.
If you use an LB appliance (as in your case) you must use the public FQDN assigned to the VIP IP of the LB configured for UAGs.
If, on the other hand, you use the integrated load balancing solution built into the UAGs, you must also publish the individual IPs of the UAGs (in addition to the VIP) on the internet, but that does not seem to be your situation.
Do you have any errors in the UAG logs?
Hi
Can you post the Basic SAML Configuration applied on the Azure Enterprise Application used?
Your LB does not replace or inspect the SSL certificate of the UAG?
Is the SSL certificate used on the UAG issued by a public CA?
We are using a wildcard cert on the lb/uag. Everything works fine without adding this Azure Authentication piece. Here is my config:
Hi,
But do you have a public domain test.com? Or is it an example?
That is just an example.
I am actually troubleshooting now with Microsoft and when doing a test via Azure portal to - https://horizon.test.com/portal/samlsso the page comes up with an HTTP 500 error.
It is very strange. We deleted all browsing history and closed all Chrome windows. Opened it back up and it works. But after the first time it works it doesn't work again.
Hi
Do you always have the same problem if you use Chrome in incognito mode?
Otherwise it could be a configuration problem of one of the two connection servers or of one of the two UAGs. Try testing with only one UAG and one Connection server active (alternating between one another).
Tried testing with just one UAG and one Connection server and still have the same behavior. It almost seems like after you connect the first time it leaves something in Chrome so that when you try and connect the second time it gets hung up. I have a ticket open with both VMware and Microsoft, but if no one else is experiencing this then I have to think it is something with my setup? Very frustrating as we want to deploy this by the end of the month.
I have deployed MFA, UAG and Horizon infrastructures with F5 or Kemp as balancers and have never had this kind of problem. Could it be something related to your LB, is session persistence configured?
I found the following guide but I don't know if it relates to your LB model.
Do you have the same problem with Edge or Firefox too?
We have the same problem with Firefox but not Edge. MS just let us know that it is the way the SAML2 AuthRequest is being processed in Chrome. It is not being written in a way that Chrome can read it. Which doesn't make much sense, as it works once with Chrome and then stops working.
We used that guide you sent to set up our LB. I don't really think it's the LB, as it works all the time on MS Edge. But I don't get why our instance is different from anyone else using this configuration and the Chrome browser? Very frustrating.
Ok, latest update - It is the Load Balancer. I just created a new Enterprise Application and went direct to one of the UAGs. Uploaded the new metadata file and then added a new server in the Horizon Client that pointed directly to that UAG. It works every time in Chrome. So the Load Balancer must be doing something??? Ugh.....
